过QQ游戏大厅的SX保护

【通知】3月21日21点至22点博客频道服务暂停公告免费下载《SKC易云解决方案》下载频道双倍下载分返还活动震撼出击！
CSDN 2011年度十大风云博客专栏评选火爆进行中！ CSDN社区3月技术大分享百本IT图书等你拿！

分类： VC/C/C++GAMEHACK2012-03-13 15:42137人阅读评论(0)收藏举报

早些时间看郁金香的教程，写过qq游戏练练看的挂，那时候CE附加QQ游戏大厅的时候貌似是没有任何保护的，昨天舍友让做个斗地主的记牌器，但是，我用CE附加的时候，被检测到了，其实不附加也会被检测，所以猜测可能只是检测窗口进程或是模块名称啥的吧，被检测到的时候主程序会退出，但是那个对话框还在，就是那个SX什么什么的，所以如果是QQgame启动了某个线程来检测非法的话，在主程序退出其他线程对象都释放掉的时候，那个检测的线程对象还是存在的（提示SX非法的对话框别关掉！）。借助pt很容易就找到了这个线程。

未开CE前线程状态：

过QQ游戏大厅的SX保护 - Evil0r's Blog - 博客频道 - CSDN_NET

开了CE被检测到后的线程状态：

过QQ游戏大厅的SX保护 - Evil0r's Blog - 博客频道 - CSDN_NET

然后该怎么办就不用说了吧，干掉这个线程就OK了。

若是嫌麻烦每次都要开pt找线程的话，可以写个结束这个模块内线程的程序

#include "stdafx.h"#include "windows.h"#include "TlHelp32.h"const TCHAR QQ_GAME[] = _T("QQGame.exe");const TCHAR QQ_THREAD_DLL[] = _T("TenSLX.dll");typedef enum _THREADINFOCLASS { ThreadBasicInformation, ThreadTimes, ThreadPriority, ThreadBasePriority, ThreadAffinityMask, ThreadImpersonationToken, ThreadDescriptorTableEntry, ThreadEnableAlignmentFaultFixup, ThreadEventPair_Reusable, ThreadQuerySetWin32StartAddress, ThreadZeroTlsCell, ThreadPerformanceCount, ThreadAmILastThread, ThreadIdealProcessor, ThreadPriorityBoost, ThreadSetTlsArrayAddress, ThreadIsIoPending, ThreadHideFromDebugger, ThreadBreakOnTermination, MaxThreadInfoClass } THREADINFOCLASS;typedef LONG (__stdcall *_pfnZwQueryInformationThread) ( IN HANDLE ThreadHandle, IN THREADINFOCLASS ThreadInformationClass, OUT PVOID ThreadInformation, IN ULONG ThreadInformationLength, OUT PULONG ReturnLength OPTIONAL );HANDLE m_GameProcessHandle;//记录QQ_THREAD_DLL信息BYTE * m_pmodBaseAddr; DWORD m_dwmodBaseSize;_pfnZwQueryInformationThread m_pfnZwQueryInformationThread;BOOL StartPatch();//PATCHQQ主函数DWORD EnablePrivilege (LPCTSTR name);//提权函数BOOL ListProcessModules(DWORD dwPID);//枚举指定进程的模块BOOL ListProcessThreads( DWORD dwOwnerPID);//枚举指定进程创建的线程，并结束掉QQ保护线程PVOID ShowThreadInfo(DWORD tid);//获取线程的起始地址int _tmain(int argc, _TCHAR* argv[]){ m_pfnZwQueryInformationThread =(_pfnZwQueryInformationThread) GetProcAddress (LoadLibrary(_T("ntdll.dll")),"ZwQueryInformationThread"); if (StartPatch()) { printf("可以CE附加QQ游戏大厅了n"); } else printf("失败！n"); return 0;}BOOL StartPatch(){ if(0!=EnablePrivilege (SE_DEBUG_NAME)) { return FALSE; } HANDLE hProcessSnap; PROCESSENTRY32 pe32; hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if( hProcessSnap == INVALID_HANDLE_VALUE ) { return FALSE; } pe32.dwSize = sizeof( PROCESSENTRY32 ); if( !Process32First( hProcessSnap, &pe32 ) ) { CloseHandle( hProcessSnap ); return FALSE; } BOOL bStartGame = FALSE; do { if (_tcscmp(pe32.szExeFile, QQ_GAME) == 0) { bStartGame = TRUE; m_GameProcessHandle = OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, pe32.th32ProcessID); if (m_GameProcessHandle == NULL) { return FALSE; } for (int i=0; i<5;i++) { if (!ListProcessModules(pe32.th32ProcessID)) { return FALSE; } } if (!ListProcessThreads(pe32.th32ProcessID)) { return FALSE; } } } while( Process32Next( hProcessSnap, &pe32 ) ); if (!bStartGame) { MessageBox(NULL,_T("运行QQ大厅后才能使用"),_T("提示"),MB_OK); return FALSE; } CloseHandle( hProcessSnap ); return TRUE;}DWORD EnablePrivilege (LPCTSTR name) { HANDLE hToken; BOOL rv; //设置结构 TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} }; // 查找权限值 LookupPrivilegeValue ( 0, name, &priv.Privileges[0].Luid ); // 打开本进程Token OpenProcessToken( GetCurrentProcess (), TOKEN_ADJUST_PRIVILEGES, &hToken ); // 提权 AdjustTokenPrivileges ( hToken, FALSE, &priv, sizeof priv, 0, 0 ); // 返回值，错误信息，如果操作成功，则应为ERROR_SUCCESS，为O rv = GetLastError(); // 关闭Token CloseHandle (hToken); return rv; } BOOL ListProcessModules(DWORD dwPID){ HANDLE hModuleSnap = INVALID_HANDLE_VALUE; MODULEENTRY32 me32; hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID ); if( hModuleSnap == INVALID_HANDLE_VALUE ) { return( FALSE ); } me32.dwSize = sizeof( MODULEENTRY32 ); if( !Module32First( hModuleSnap, &me32 ) ) { CloseHandle( hModuleSnap ); return( FALSE ); } do { if (_tcscmp(me32.szModule, QQ_THREAD_DLL) == 0) { m_pmodBaseAddr = me32.modBaseAddr; m_dwmodBaseSize = me32.modBaseSize; } }while( Module32Next( hModuleSnap, &me32 )); CloseHandle( hModuleSnap ); return( TRUE );}BOOL ListProcessThreads( DWORD dwOwnerPID) { HANDLE hThreadSnap = INVALID_HANDLE_VALUE; THREADENTRY32 te32; PVOID addr; hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 ); if( hThreadSnap == INVALID_HANDLE_VALUE ) return( FALSE ); te32.dwSize = sizeof(THREADENTRY32 ); if( !Thread32First( hThreadSnap, &te32 ) ) { CloseHandle( hThreadSnap ); return( FALSE ); } do { if( te32.th32OwnerProcessID == dwOwnerPID ) { addr = ShowThreadInfo(te32.th32ThreadID); if(((DWORD)addr>(DWORD)m_pmodBaseAddr)&&((DWORD)addr< ((DWORD)m_pmodBaseAddr+(DWORD)m_dwmodBaseSize))) { HANDLE oth=OpenThread(THREAD_ALL_ACCESS,FALSE,te32.th32ThreadID); //关闭这个线程 TerminateThread(oth, 0); } } } while( Thread32Next(hThreadSnap, &te32 ) ); CloseHandle( hThreadSnap ); return( TRUE );}PVOID ShowThreadInfo(DWORD tid) { PVOID startaddr; HANDLE thread; //thread = m_pfnOpenThread_ex(THREAD_ALL_ACCESS,FALSE,tid); thread=OpenThread(THREAD_ALL_ACCESS,FALSE,tid); if (thread == NULL) return FALSE; m_pfnZwQueryInformationThread(thread, ThreadQuerySetWin32StartAddress, &startaddr, sizeof(startaddr), NULL); CloseHandle (thread); return startaddr; }

上一篇：一个脑残壳的框架设计与实现

下一篇：由远程线程注入代码引出来的一些问题